Last Updated: April 2026
This Data Processing Agreement ("DPA") establishes the terms under which Regulars Inc. ("Processor") processes personal data on behalf of our business customers ("Data Controller"). This agreement supplements our Terms of Service and Privacy Policy. Where there is any conflict between this DPA and other governing documents, this DPA shall take precedence regarding data processing activities.
This DPA applies to all personal data processed by Regulars in the course of providing the customer intelligence platform and related services to business customers. Personal data includes information about business customers' employees, customers, and any other individuals whose data is collected through or processed by the Regulars platform.
For the purposes of this DPA, Regulars acts as a Processor, and our business customers act as Data Controllers responsible for determining the purposes and means of data processing. Customers are responsible for ensuring they have lawful bases for data collection and that appropriate privacy notices are provided to data subjects.
Regulars processes customer data exclusively for the following purposes:
Providing and maintaining the platform services.
Processing and tracking customer check-ins, operator-configured member pricing, platform engagement, and, where an approved integration is enabled, transaction data for reconciliation and reporting.
Generating business analytics and reporting.
Complying with legal obligations.
Improving and optimizing the Service.
Regulars shall not use personal data for any other purpose without prior written consent from the Data Controller. Any use of data for secondary purposes must be explicitly authorized and documented.
The personal data processed by Regulars may include:
Individual identifiers (names, email addresses, phone numbers, customer IDs).
Check-in and platform engagement data.
Transaction data only where an approved POS integration or operator-provided reconciliation source is enabled.
Location data (check-in locations, business addresses).
Behavioral data (check-in frequency, platform engagement).
Device information (IP addresses, device types, browser information).
Any additional data uploaded by the Data Controller through the platform.
Regulars may engage sub-processors to assist in providing the Service. Current sub-processors include:
Cluster Systems Inc. (8585 Décarie Boulevard, Montreal, Quebec, H4P 2J4, Canada) — Approved point-of-sale reconciliation, where enabled by the operator and partner access. Cluster processes data as an independent controller under its own privacy policy, available at clusterpos.com.
Amazon Web Services, Inc. — Cloud infrastructure and data hosting. Customer data is currently hosted in the AWS US East (Northern Virginia) region (us-east-1). AWS is certified under SOC 1/2/3, ISO 27001, and PCI DSS, and is contractually bound by AWS's Data Processing Addendum. International transfers from Canadian users are covered under the cross-border transfer disclosures in Section 9 of our Privacy Policy.
Google LLC (Google Analytics) — Website and product usage analytics. Only aggregated and pseudonymized event data is collected; IP anonymization is enabled and personal identifiers are not transmitted. Users may opt out via cookie preferences or the Google Analytics opt-out browser add-on.
A current list of sub-processors is maintained at legal@regularspass.com and will be provided on written request. Regulars will notify Data Controllers by email at least thirty days before engaging any new sub-processor with access to personal data, during which period the Data Controller may object on reasonable grounds related to data protection.
Regulars provides notice of any changes to sub-processors and ensures all sub-processors are bound by written contracts that impose equivalent data protection obligations. Data Controllers may object to the engagement of specific sub-processors by notifying Regulars in writing within ten business days of notification.
Regulars implements industry-standard security measures to protect personal data, including encryption of data in transit using TLS 1.2 or higher and encryption of data at rest using AES-256. All data transmissions between the customer and Regulars servers are encrypted. Access to data is restricted to authorized personnel through role-based access controls.
Regulars maintains comprehensive information security policies, including employee training programs, incident response procedures, and regular security audits. All Regulars personnel with access to personal data are bound by confidentiality obligations. Access to customer data is logged and monitored for suspicious activity.
Data is hosted on Amazon Web Services (AWS) infrastructure, which provides enterprise-grade physical security, surveillance, and access controls. Data centers are located in geographically diverse regions to ensure redundancy and disaster recovery capabilities.
In the event of a confirmed or suspected data breach involving personal data processed by Regulars, we will notify affected Data Controllers without undue delay and no later than forty-eight hours following discovery of the breach. Notification will include details of the breach, the types of data affected, the number of individuals impacted, likely consequences, and measures taken or proposed to mitigate harm.
Regulars will cooperate fully with Data Controllers in investigating breaches, remediating impact, and fulfilling legal notification obligations to data subjects and regulatory authorities. Regulars will preserve evidence and log files necessary for forensic investigation and will provide a preliminary incident report within seventy-two hours of discovery.
Regulars recognizes the rights of data subjects under applicable privacy laws, including the right to access, rectification, erasure, portability, and objection to processing. Upon receiving a request from a Data Controller regarding data subject rights, Regulars will assist in fulfilling such requests within applicable legal timeframes.
Data Controllers are responsible for responding to direct requests from data subjects and must forward any requests to Regulars' legal team at legal@regularspass.com along with necessary context and documentation.
Personal data may be transferred to, stored in, and processed in countries outside Canada, including the United States. Regulars implements appropriate safeguards for international transfers, including Standard Contractual Clauses and supplementary measures as required under applicable law. Data Controllers are responsible for ensuring that international transfers comply with their jurisdictional requirements.
Personal data will be retained for as long as necessary to provide the Service and fulfill the purposes identified in this DPA. Upon termination of the service agreement or upon explicit request from the Data Controller, Regulars will delete or return all personal data within thirty days, unless retention is required by law.
Data Controllers may request deletion of specific data categories at any time. Regulars will process such requests and confirm completion within thirty days. Archived or backup copies will be deleted according to our standard data retention and backup lifecycle policies.
Regulars maintains comprehensive security controls and undergoes regular security audits by qualified third parties. We are working toward SOC 2 Type II compliance and will provide evidence of compliance upon request. Data Controllers may request information regarding our security posture and data protection practices at any time.
Regulars will cooperate with Data Controller security assessments, including completion of vendor security questionnaires, provision of audit reports, and participation in security reviews, subject to confidentiality protections for sensitive information.
Regulars is liable for damages arising from its processing of personal data in violation of this DPA or applicable privacy laws, subject to the limitation of liability provisions in our Terms of Service. Data Controllers are responsible for ensuring they have appropriate legal bases for data collection and that privacy notices are provided to data subjects. Regulars does not assume liability for Data Controller violations of their obligations under this DPA.
This DPA remains in effect for as long as Regulars processes personal data on behalf of the Data Controller. Upon termination of our service agreement, Regulars will cease processing personal data and will delete or return all personal data in accordance with Section 9 of this DPA.
This DPA is governed by the laws of the Province of Quebec, Canada. Both parties agree to submit to the exclusive jurisdiction of the courts of Montreal, Quebec, for resolution of disputes arising from this DPA.
For questions regarding this Data Processing Agreement or to report a data breach, please contact:
Regulars Inc. — Legal and Data Protection Team
Email: legal@regularspass.com
Address: Montreal, Quebec, Canada